Opened 8 years ago

Closed 8 years ago

#7129 closed enhancement (fixed)

libpng-1.6.19

Reported by: Fernando de Oliveira Owned by: Fernando de Oliveira
Priority: high Milestone: 7.9
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by Fernando de Oliveira)

I understand after post:

http://sourceforge.net/p/png-mng/mailman/message/34616350/

that this release fixes a vulnerability:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8126

Vulnerability Summary for CVE-2015-8126
Original release date: 11/12/2015
Last revised: 11/12/2015
Source: US-CERT/NIST

This vulnerability is currently undergoing analysis and not all
information is available.

Please check back soon to view the completed vulnerability summary.

Overview

Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE
functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x
and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19
allow remote attackers to cause a denial of service (application crash)
or possibly have unspecified other impact via a small bit-depth value in
an IHDR (aka image header) chunk in a PNG image.

http://downloads.sourceforge.net/libpng/libpng-1.6.19.tar.xz

http://downloads.sourceforge.net/libpng/libpng-1.6.19.tar.xz.asc

http://downloads.sourceforge.net/libpng-apng/libpng-1.6.19-apng.patch.gz

Patch not yet released. Will not place in hold, because usually takes a couple of days to be released, when it is not already available.

http://sourceforge.net/p/png-mng/mailman/message/34615056/

[png-mng-implement] libpng-1.0.64, 1.4.17, 1.2.54, 1.5.24, and libpng-1.6.19 are available
From: Glenn Randers-Pehrson <glennrp@gm...> - 2015-11-12 16:08:46
Attachments: Message as HTML    

libpng-1.0.64, 1.2.54, 1.4.17, 1.5.24, and libpng-1.6.19 are
available from
ftp:ftp.simplesystems.org/pub/png/src/
and from
http://libpng.sf.net

These are security releases that fix a potential out-of-bounds
read in png_set_tIME()/png_convert_to_rfc1123() and a potential
out-of-bounds write in png_get_PLTE()/png_set_PLTE() in all previous
versions.

Glenn

Libpng 1.6.19 - November 12, 2015
Changes since the last public release (1.6.18):
  Updated obsolete information about the simplified API macros in the
    manual pages (Bug report by Arc Riley).
  Avoid potentially dereferencing NULL info_ptr in png_info_init_3().
  Rearranged png.h to put the major sections in the same order as
    in libpng17.
  Eliminated unused PNG_COST_SHIFT, PNG_WEIGHT_SHIFT, PNG_COST_FACTOR, and
    PNG_WEIGHT_FACTOR macros.
  Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler
    (Bug report by Viktor Szakats).  Several warnings remain and are
    unavoidable, where we test for overflow.
  Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
  Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
  Moved config.h.in~ from the "libpng_autotools_files" list to the
    "libpng_autotools_extra" list in autogen.sh because it was causing a
    false positive for missing files (bug report by Robert C. Seacord).
  Removed unreachable "break" statements in png.c, pngread.c, and pngrtran.c
    to suppress clang warnings (Bug report by Viktor Szakats).
  Fixed some bad links in the man page.
  Changed "n bit" to "n-bit" in comments.
  Added signed/unsigned 16-bit safety net. This removes the dubious
    0x8000 flag definitions on 16-bit systems. They aren't supported
    yet the defs *probably* work, however it seems much safer to do this
    and be advised if anyone, contrary to advice, is building libpng 1.6
    on a 16-bit system. It also adds back various switch default clauses
    for GCC; GCC errors out if they are not present (with an appropriately
    high level of warnings).
  Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
    Seacord).
  Fixed the recently reported 1's complement security issue by replacing
    the value that is illegal in the PNG spec, in both signed and unsigned
    values, with 0. Illegal unsigned values (anything greater than or equal
    to  0x80000000) can still pass through, but since these are not illegal
    in ANSI-C (unlike 0x80000000 in the signed case) the checking that
    occurs later can catch them (John Bowler).
  Fixed png_save_int_32 when int is not 2's complement (John Bowler).
  Updated libpng16 with all the recent test changes from libpng17,
    including changes to pngvalid.c to ensure that the original,
    distributed, version of contrib/visupng/cexcept.h can be used
    (John Bowler).
  pngvalid contains the correction to the use of SAVE/STORE_
    UNKNOWN_CHUNKS; a bug revealed by changes in libpng 1.7. More
    tests contain the --strict option to detect warnings and the
    pngvalid-standard test has been corrected so that it does not
    turn on progressive-read. There is a separate test which does
    that. (John Bowler)
  Also made some signed/unsigned fixes.
  Make pngstest error limits version specific. Splitting the machine
    generated error structs out to a file allows the values to be updated
    without changing pngstest.c itself. Since libpng 1.6 and 1.7 have
    slightly different error limits this simplifies maintenance. The
    makepngs.sh script has also been updated to more accurately reflect
    current problems in libpng 1.7 (John Bowler).
  Incorporated new test PNG files into make check.  tests/pngstest-*
    are changed so that the new test files are divided into 8 groups by
    gamma and alpha channel.  These tests have considerably better code
    and pixel-value coverage than contrib/pngsuite; however,coverage is
    still incomplete (John Bowler).
  Removed the '--strict' in 1.6 because of the double-gamma-correction
    warning, updated pngstest-errors.h for the errors detected with the
    new contrib/testspngs PNG test files (John Bowler).
  Worked around rgb-to-gray issues in libpng 1.6.  The previous
    attempts to ignore the errors in the code aren't quite enough to
    deal with the 'channel selection' encoding added to libpng 1.7; abort.
  Fixed 'pow' macros in pngvalid.c. It is legal for 'pow' to be a
    macro, therefore the argument list cannot contain preprocessing
    directives.  Make sure pow is a function where this happens. This is
    a minimal safe fix, the issue only arises in non-performance-critical
    code (bug report by Curtis Leach, fix by John Bowler).
  Added sPLT support to pngtest.c
  Prevent setting or writing over-length PLTE chunk (Cosmin Truta).
  Silently truncate over-length PLTE chunk while reading.
  Libpng incorrectly calculated the output rowbytes when the application
    decreased either the number of channels or the bit depth (or both) in
    a user transform.  This was safe; libpng overallocated buffer space
   (potentially by quite a lot; up to 4 times the amount required) but,
   from 1.5.4 on, resulted in a png_error (John Bowler).
  Fixed some inconsequential cut-and-paste typos in
png_set_cHRM_XYZ_fixed().
  Clarified COPYRIGHT information to state explicitly that versions
    are derived from previous versions.
  Removed much of the long list of previous versions from png.h and
    libpng.3.

http://downloads.sourceforge.net/libpng/libpng-1.6.19-README.txt

Libpng 1.6.19 - July 23, 2015

This is a public release of libpng, intended for use in production codes.

Changes since the last public release (1.6.17):
  Removed PNG_SET_CHUNK_[CACHE|MALLOC]_LIMIT_SUPPORTED macros.  They
    have been combined with PNG_SET_USER_LIMITS_SUPPORTED (resolves
    bug report by Andrew Church).
  Fixed rgb_to_gray checks and added tRNS checks to pngvalid.c.  This
    fixes some arithmetic errors that caused some tests to fail on
    some 32-bit platforms (Bug reports by Peter Breitenlohner [i686]
    and Petr Gajdos [i586]).
  Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler
    (Bug report by Viktor Szaka'ts).
  Replaced "unexpected" with an integer (0xabadca11) in pngset.c where a
    long was expected, to avoid a compiler warning when PNG_DEBUG > 1.
  Added contrib/examples/simpleover.c, to demonstrate how to handle
    alpha compositing of multiple images, using the "simplified API"
    and an example PNG generation tool, contrib/examples/genpng.c
    (John Bowler).
  PNG_RELEASE_BUILD replaces tests where the code depended on the build
    base type and can be defined on the command line, allowing testing
    in beta builds (John Bowler).
  Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c
  Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug
    report from Christopher Ferris).
  Backport filter selection code from libpng-1.7.0beta51, to combine
    sub_row, up_row, avg_row, and paeth_row into try_row and tst_row.
  Changed png_voidcast(), etc., to voidcast(), etc., in
    contrib/tools/pngfix.c to avoid confusion with the libpng private
    macros.
  Fixed old cut&paste bug in the weighted filter selection code in
    pngwutil.c, introduced in libpng-0.95, March 1997.
  Removed WRITE_WEIGHTED_FILTERED code, to save a few kbytes of the
    compiled library size. It never worked properly and as far as we can
    tell, no one uses it. The png_set_filter_heuristics() and
    png_set_filter_heuristics_fixed() APIs are retained but deprecated
    and do nothing.
  Quieted some Coverity issues in pngfix.c, png-fix-itxt.c, pngvalid.c,
    pngstest.c, and pngimage.c. Most seem harmless, but png-fix-itxt
    would only work with iTXt chunks with length 255 or less.
  Removed non-working progressive reader 'skip' function. This
    function has apparently never been used. It was implemented
    to support back-door modification of png_struct in libpng-1.4.x
    but (because it does nothing and cannot do anything) was apparently
    never tested (John Bowler).
  Fixed cexcept.h in which GCC 5 now reports that one of the auto
    variables in the Try macro needs to be volatile to prevent value
    being lost over the setjmp (John Bowler).
  Added #ifdef's to contrib/examples programs so people don't try
    to compile them without the minimum required support enabled
    (suggested by Flavio Medeiros).
  Eliminated the final two Coverity defects (insecure temporary file
    handling in contrib/libtests/pngstest.c; possible overflow of
    unsigned char in contrib/tools/png-fix-itxt.c). To use the "secure"
    file handling, define PNG_USE_MKSTEMP, otherwise "tmpfile()" will
    be used.
  Removed some unused WEIGHTED_FILTER macros from pngstruct.h
  Replaced arbitrary use of 'extern' with #define PNG_LINKAGE_*.  To
    preserve API compatibility, the new defines all default to "extern"
    (requested by Jan Nijtmans).
  Belatedly added Mans Rullgard and James Yu to the list of Contributing
    Authors.

Glenn R-P

http://downloads.sourceforge.net/libpng-apng/libpng-1.6.19-apng.patch.README.txt

Updated to libpng-1.6.19 codebase

Change History (5)

comment:1 by Fernando de Oliveira, 8 years ago

Description: modified (diff)

comment:2 by Fernando de Oliveira, 8 years ago

I am worried, because this is a vulnerability fix.

Not yet available libpng-1.6.19-apng.patch.gz at the unusual URL:

http://downloads.sourceforge.net/libpng-apng/libpng-1.6.19-apng.patch.gz

This has occurred a couple of times, before.

Gentoo is using a patch from

http://downloads.sourceforge.net/project/apng/libpng/libpng16/libpng-1.6.19-apng.patch.gz

ISTR having done that before, when the usual one was too much delayed, and later fixing back the book.

Before comparing the two patches, my question is should we temporarily use the latter patch?

I have downloaded version 1.6.18, for comparison.

A diff between the patches is difficult to understand, because modified files are not at the same order. Another problem is that the unusual patch needs to be applied with p0, not p1.

Another test I did was to apply each patch and diff the two patched codes:

--- libpng-1.6.18.new/LICENSE	2015-11-14 07:31:41.227754213 -0300
+++ libpng-1.6.18.usual/LICENSE	2015-07-23 00:36:41.000000000 -0300
-This modified version of libpng code adds animated PNG support. This code is
-released under the libpng license described below. The modifications are
-Copyright (c) 2006-2007 Andrew Smith, Copyright (c) 2008-2015 Max Stepin,
-and can be identified by "#ifdef PNG_APNG_SUPPORTED / #endif" directives
-surrounding them in the modified libpng source files.
-
--- libpng-1.6.18.new/pngget.c	2015-11-14 07:31:41.228754190 -0300
+++ libpng-1.6.18.usual/pngget.c	2015-11-14 07:32:16.602930736 -0300
-        (info_ptr->valid & PNG_INFO_acTL) != 0 &&
+        (info_ptr->valid & PNG_INFO_acTL) &&
-        (info_ptr->valid & PNG_INFO_fcTL) != 0 &&
+        (info_ptr->valid & PNG_INFO_fcTL) &&
-#endif /* APNG */
+#endif /* PNG_APNG_SUPPORTED */
--- libpng-1.6.18.new/png.h	2015-11-14 07:31:41.229754167 -0300
+++ libpng-1.6.18.usual/png.h	2015-11-14 07:32:16.601930759 -0300
- * This modified version of libpng code adds animated PNG support. This code is
- * released under the libpng license described below. The modifications are
- * Copyright (c) 2006-2007 Andrew Smith, Copyright (c) 2008-2015 Max Stepin,
- * and can be identified by "#ifdef PNG_APNG_SUPPORTED / #endif" directives
- * surrounding them in the modified libpng source files.
- *
-#endif /* APNG */
+#endif /* PNG_APNG_SUPPORTED */
-
-#endif /* PROGRESSIVE_READ */
-#endif /* READ_APNG */
+#endif /* PNG_PROGRESSIVE_READ_SUPPORTED */
+#endif /* PNG_READ_APNG_SUPPORTED */
-#endif /* WRITE_APNG */
-#endif /* APNG */
+#endif /* PNG_WRITE_APNG_SUPPORTED */
+#endif /* PNG_APNG_SUPPORTED */
-#endif /* APNG */
+#endif /* PNG_APNG_SUPPORTED */
--- libpng-1.6.18.new/pngpread.c	2015-11-14 07:31:41.231754120 -0300
+++ libpng-1.6.18.usual/pngpread.c	2015-11-14 07:32:16.603930713 -0300
-         if ((png_ptr->mode & PNG_HAVE_fcTL) != 0 ||
-             png_ptr->num_frames_read > 1)
+         if (png_ptr->mode & PNG_HAVE_fcTL || png_ptr->num_frames_read > 1)
-         PNG_PUSH_SAVE_BUFFER_IF_FULL
-         png_crc_finish(png_ptr, png_ptr->push_length);
+         if (png_ptr->push_length + 4 > png_ptr->buffer_size)
+         {
+            png_push_save_buffer(png_ptr);
+            return;
+         }
+
+         return;
-
-         PNG_PUSH_SAVE_BUFFER_IF_LT(4)
+         if (png_ptr->buffer_size < 4)
+         {
+            png_push_save_buffer(png_ptr);
+            return;
+         }
+
-         if ((png_ptr->mode & PNG_HAVE_fcTL) == 0)
+         if (!(png_ptr->mode & PNG_HAVE_fcTL))
-            PNG_PUSH_SAVE_BUFFER_IF_FULL
-            png_crc_finish(png_ptr, png_ptr->push_length);
+            if (png_ptr->push_length + 4 > png_ptr->buffer_size)
+            {
+               png_push_save_buffer(png_ptr);
+               return;
+            }
+
+            return;
+
+            return;
-         PNG_PUSH_SAVE_BUFFER_IF_FULL
+         if (png_ptr->push_length + 4 > png_ptr->buffer_size)
+         {
+            png_push_save_buffer(png_ptr);
+            return;
+         }
+
-         if ((png_ptr->mode & PNG_HAVE_fcTL) == 0)
+         if (!(png_ptr->mode & PNG_HAVE_fcTL))
-      }
-      else if (chunk_name == png_IEND)
-      {
-         PNG_PUSH_SAVE_BUFFER_IF_FULL
-         png_warning(png_ptr, "Number of actual frames fewer than expected");
-         png_crc_finish(png_ptr, png_ptr->push_length);
-         png_ptr->process_mode = PNG_READ_DONE_MODE;
-         png_push_have_end(png_ptr, info_ptr);
+         return;
-         PNG_PUSH_SAVE_BUFFER_IF_FULL
+         if (png_ptr->push_length + 4 > png_ptr->buffer_size)
+         {
+            png_push_save_buffer(png_ptr);
+            return;
+         }
-         png_crc_finish(png_ptr, png_ptr->push_length);
+         return;
-#endif /* READ_APNG */
+#endif /* PNG_READ_APNG_SUPPORTED */
-
-      PNG_PUSH_SAVE_BUFFER_IF_FULL
+      if (png_ptr->push_length + 4 > png_ptr->buffer_size)
+      {
+         png_push_save_buffer(png_ptr);
+         return;
+      }
+
-      PNG_PUSH_SAVE_BUFFER_IF_FULL
+      if (png_ptr->push_length + 4 > png_ptr->buffer_size)
+      {
+         png_push_save_buffer(png_ptr);
+         return;
+      }
+
-#endif /* READ_APNG */
+#endif /* PNG_READ_APNG_SUPPORTED */
+
-          if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) != 0)
+          if (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED)
-              PNG_PUSH_SAVE_BUFFER_IF_FULL
+              if (png_ptr->push_length + 4 > png_ptr->buffer_size)
+              {
+                 png_push_save_buffer(png_ptr);
+                 return;
+              }
-   if ((png_ptr->apng_flags & PNG_APNG_APP) == 0 &&
-      png_ptr->num_frames_read > 0)
+   if (!(png_ptr->apng_flags & PNG_APNG_APP) && png_ptr->num_frames_read > 0)
-      png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
-      return;
+     png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
+     return;
--- libpng-1.6.18.new/pngpriv.h	2015-11-14 07:31:41.230754143 -0300
+++ libpng-1.6.18.usual/pngpriv.h	2015-11-14 07:32:16.605930666 -0300
+/* Added at libpng version 1.6.0 */
+#ifdef PNG_GAMMA_SUPPORTED
+PNG_INTERNAL_FUNCTION(void,png_colorspace_set_gamma,(png_const_structrp png_ptr,
+    png_colorspacerp colorspace, png_fixed_point gAMA), PNG_EMPTY);
+   /* Set the colorspace gamma with a value provided by the application or by
+    * the gAMA chunk on read.  The value will override anything set by an ICC
+    * profile.
+    */
+
+PNG_INTERNAL_FUNCTION(void,png_colorspace_sync_info,(png_const_structrp png_ptr,
+    png_inforp info_ptr), PNG_EMPTY);
+    /* Synchronize the info 'valid' flags with the colorspace */
+
+PNG_INTERNAL_FUNCTION(void,png_colorspace_sync,(png_const_structrp png_ptr,
+    png_inforp info_ptr), PNG_EMPTY);
+    /* Copy the png_struct colorspace to the info_struct and call the above to
+     * synchronize the flags.  Checks for NULL info_ptr and does nothing.
+     */
+#endif
+
-   png_byte dispose_op, png_byte blend_op),PNG_EMPTY);
+   png_byte dispose_op, png_byte blend_op), PNG_EMPTY);
-PNG_INTERNAL_FUNCTION(void,png_handle_acTL,(png_structp png_ptr,
-   png_infop info_ptr, png_uint_32 length),PNG_EMPTY);
-PNG_INTERNAL_FUNCTION(void,png_handle_fcTL,(png_structp png_ptr,
-   png_infop info_ptr, png_uint_32 length),PNG_EMPTY);
-PNG_INTERNAL_FUNCTION(void,png_handle_fdAT,(png_structp png_ptr,
-   png_infop info_ptr, png_uint_32 length),PNG_EMPTY);
-PNG_INTERNAL_FUNCTION(void,png_have_info,(png_structp png_ptr,
-   png_infop info_ptr),PNG_EMPTY);
+PNG_INTERNAL_FUNCTION(void,png_handle_acTL,(png_structp png_ptr, png_infop info_ptr,
+   png_uint_32 length),PNG_EMPTY);
+PNG_INTERNAL_FUNCTION(void,png_handle_fcTL,(png_structp png_ptr, png_infop info_ptr,
+   png_uint_32 length),PNG_EMPTY);
+PNG_INTERNAL_FUNCTION(void,png_handle_fdAT,(png_structp png_ptr, png_infop info_ptr,
+   png_uint_32 length),PNG_EMPTY);
+PNG_INTERNAL_FUNCTION(void,png_have_info,(png_structp png_ptr, png_infop info_ptr),PNG_EMPTY);
-PNG_INTERNAL_FUNCTION(void,png_progressive_read_reset,(png_structp png_ptr),
-   PNG_EMPTY);
-#endif /* PROGRESSIVE_READ */
-#endif /* READ_APNG */
+PNG_INTERNAL_FUNCTION(void,png_progressive_read_reset,(png_structp png_ptr),PNG_EMPTY);
+#endif /* PNG_PROGRESSIVE_READ_SUPPORTED */
+#endif /* PNG_READ_APNG_SUPPORTED */
-#endif /* WRITE_APNG */
-#endif /* APNG */
-
-/* Added at libpng version 1.6.0 */
-#ifdef PNG_GAMMA_SUPPORTED
-PNG_INTERNAL_FUNCTION(void,png_colorspace_set_gamma,(png_const_structrp png_ptr,
-    png_colorspacerp colorspace, png_fixed_point gAMA), PNG_EMPTY);
-   /* Set the colorspace gamma with a value provided by the application or by
-    * the gAMA chunk on read.  The value will override anything set by an ICC
-    * profile.
-    */
-
-PNG_INTERNAL_FUNCTION(void,png_colorspace_sync_info,(png_const_structrp png_ptr,
-    png_inforp info_ptr), PNG_EMPTY);
-    /* Synchronize the info 'valid' flags with the colorspace */
-
-PNG_INTERNAL_FUNCTION(void,png_colorspace_sync,(png_const_structrp png_ptr,
-    png_inforp info_ptr), PNG_EMPTY);
-    /* Copy the png_struct colorspace to the info_struct and call the above to
-     * synchronize the flags.  Checks for NULL info_ptr and does nothing.
-     */
-#endif
+#endif /* PNG_WRITE_APNG_SUPPORTED */
+#endif /* PNG_APNG_SUPPORTED */
--- libpng-1.6.18.new/pngread.c	2015-11-14 07:31:41.228754190 -0300
+++ libpng-1.6.18.usual/pngread.c	2015-11-14 07:32:16.606930644 -0300
-    if ((png_ptr->mode & PNG_HAVE_acTL) == 0)
+    if (!(png_ptr->mode & PNG_HAVE_acTL))
-            if (have_chunk_after_DAT != 0 || png_ptr->num_frames_read > 1)
+            if (have_chunk_after_DAT || png_ptr->num_frames_read > 1)
-            if (have_chunk_after_DAT == 0 && png_ptr->num_frames_read > 1)
+            if (!have_chunk_after_DAT && png_ptr->num_frames_read > 1)
-#endif /* READ_APNG */
+#endif /* PNG_READ_APNG_SUPPORTED */
--- libpng-1.6.18.new/pngrutil.c	2015-11-14 07:31:41.233754073 -0300
+++ libpng-1.6.18.usual/pngrutil.c	2015-11-14 07:32:16.608930597 -0300
-    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
+    if (!(png_ptr->mode & PNG_HAVE_IHDR))
-    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
+    else if (png_ptr->mode & PNG_HAVE_IDAT)
-    else if ((png_ptr->mode & PNG_HAVE_acTL) != 0)
+    else if (png_ptr->mode & PNG_HAVE_acTL)
-    if (didSet != 0)
+    if(didSet)
-    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
+    if (!(png_ptr->mode & PNG_HAVE_IHDR))
-    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
+    else if (png_ptr->mode & PNG_HAVE_IDAT)
-    else if ((png_ptr->mode & PNG_HAVE_fcTL) != 0)
+    else if (png_ptr->mode & PNG_HAVE_fcTL)
-    if ((info_ptr->valid & PNG_INFO_acTL) != 0 &&
-        (info_ptr->valid & PNG_INFO_fcTL) == 0)
+    if((info_ptr->valid & PNG_INFO_acTL) && !(info_ptr->valid & PNG_INFO_fcTL))
-#endif /* READ_APNG */
+#endif /* PNG_READ_APNG_SUPPORTED */
-
-#endif /* READ_APNG */
-
+#endif /* PNG_READ_APNG_SUPPORTED */
-    if (png_ptr->prev_row != NULL)
+    if (png_ptr->prev_row)
-    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
+   /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
-    /* Start of interlace block */
-    static PNG_CONST png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};
+   /* Start of interlace block */
+    const int png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};
-    static PNG_CONST png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};
+    const int png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};
-    static PNG_CONST png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};
+    const int png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};
-    static PNG_CONST png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};
+    const int png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};
-    if (png_ptr->interlaced != 0)
+    if (png_ptr->interlaced)
-        if ((png_ptr->transformations & PNG_INTERLACE) == 0)
+        if (!(png_ptr->transformations & PNG_INTERLACE))
-#endif /* READ_INTERLACING */
+#endif /* PNG_READ_INTERLACING_SUPPORTED */
-#endif /* PROGRESSIVE_READ */
-#endif /* READ_APNG */
+#endif /* PNG_PROGRESSIVE_READ_SUPPORTED */
+#endif /* PNG_READ_APNG_SUPPORTED */
--- libpng-1.6.18.new/pngset.c	2015-11-14 07:31:41.232754097 -0300
+++ libpng-1.6.18.usual/pngset.c	2015-11-14 07:32:16.609930575 -0300
-                    "Ignoring attempt to set acTL with num_plays > 2^31-1");
+                    "Ignoring attempt to set acTL with num_plays "
+                    "> 2^31-1");
-        if ((png_ptr->color_type & PNG_COLOR_MASK_ALPHA) == 0 &&
-            png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS) == 0)
+        if (!(png_ptr->color_type & PNG_COLOR_MASK_ALPHA) &&
+            !(png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)))
-        png_error(png_ptr, "dimensions of a frame are greater than "
+        png_error(png_ptr, "dimensions of a frame are greater than"
-    if (is_hidden != 0)
+    if (is_hidden)
-#endif /* APNG */
+#endif /* PNG_APNG_SUPPORTED */
--- libpng-1.6.18.new/pngstruct.h	2015-11-14 07:31:41.230754143 -0300
+++ libpng-1.6.18.usual/pngstruct.h	2015-11-14 07:32:16.609930575 -0300
-#endif /* APNG */
+#endif /* PNG_APNG_SUPPORTED */
--- libpng-1.6.18.new/pngtest.c	2015-07-23 00:36:41.000000000 -0300
+++ libpng-1.6.18.usual/pngtest.c	2015-11-14 07:32:16.610930551 -0300
+#ifdef PNG_APNG_SUPPORTED
+   png_uint_32 num_frames;
+   png_uint_32 num_plays;
+#endif
+#ifdef PNG_APNG_SUPPORTED
+   if (png_get_valid(read_ptr, read_info_ptr, PNG_INFO_acTL))
+   {
+      if (png_get_acTL(read_ptr, read_info_ptr, &num_frames, &num_plays))
+      {
+         png_byte is_hidden;
+         pngtest_debug2("Handling acTL chunks (frames %ld, plays %ld)",
+                    num_frames, num_plays);
+         png_set_acTL(write_ptr, write_info_ptr, num_frames, num_plays);
+         is_hidden = png_get_first_frame_is_hidden(read_ptr, read_info_ptr);
+         png_set_first_frame_is_hidden(write_ptr, write_info_ptr, is_hidden);
+      }
+   }
+#endif
+#ifdef PNG_APNG_SUPPORTED
+   if (png_get_valid(read_ptr, read_info_ptr, PNG_INFO_acTL))
+   {
+      png_uint_32 frame;
+      for (frame = 0; frame < num_frames; frame++)
+      {
+         png_uint_32 frame_width;
+         png_uint_32 frame_height;
+         png_uint_32 x_offset;
+         png_uint_32 y_offset;
+         png_uint_16 delay_num;
+         png_uint_16 delay_den;
+         png_byte dispose_op;
+         png_byte blend_op;
+         png_read_frame_head(read_ptr, read_info_ptr);
+         if (png_get_valid(read_ptr, read_info_ptr, PNG_INFO_fcTL))
+         {
+            png_get_next_frame_fcTL(read_ptr, read_info_ptr,
+                                    &frame_width, &frame_height,
+                                    &x_offset, &y_offset,
+                                    &delay_num, &delay_den,
+                                    &dispose_op, &blend_op);
+         }
+         else
+         {
+            frame_width = width;
+            frame_height = height;
+            x_offset = 0;
+            y_offset = 0;
+            delay_num = 1;
+            delay_den = 1;
+            dispose_op = PNG_DISPOSE_OP_NONE;
+            blend_op = PNG_BLEND_OP_SOURCE;
+         }
+#ifdef PNG_WRITE_APNG_SUPPORTED
+         png_write_frame_head(write_ptr, write_info_ptr, (png_bytepp)&row_buf,
+                              frame_width, frame_height,
+                              x_offset, y_offset,
+                              delay_num, delay_den,
+                              dispose_op, blend_op);
+#endif
+         for (pass = 0; pass < num_pass; pass++)
+         {
+            pngtest_debug1("Writing row data for pass %d", pass);
+            for (y = 0; y < frame_height; y++)
+            {
+#ifndef SINGLE_ROWBUF_ALLOC
+               pngtest_debug2("Allocating row buffer (pass %d, y = %ld)...", pass, y);
+               row_buf = (png_bytep)png_malloc(read_ptr,
+                  png_get_rowbytes(read_ptr, read_info_ptr));
+               pngtest_debug2("0x%08lx (%ld bytes)", (unsigned long)row_buf,
+                  png_get_rowbytes(read_ptr, read_info_ptr));
+#endif /* !SINGLE_ROWBUF_ALLOC */
+               png_read_rows(read_ptr, (png_bytepp)&row_buf, NULL, 1);
+
+#ifdef PNG_WRITE_SUPPORTED
+#ifdef PNGTEST_TIMING
+               t_stop = (float)clock();
+               t_decode += (t_stop - t_start);
+               t_start = t_stop;
+#endif
+               png_write_rows(write_ptr, (png_bytepp)&row_buf, 1);
+#ifdef PNGTEST_TIMING
+               t_stop = (float)clock();
+               t_encode += (t_stop - t_start);
+               t_start = t_stop;
+#endif
+#endif /* PNG_WRITE_SUPPORTED */
+
+#ifndef SINGLE_ROWBUF_ALLOC
+               pngtest_debug2("Freeing row buffer (pass %d, y = %ld)", pass, y);
+               png_free(read_ptr, row_buf);
+               row_buf = NULL;
+#endif /* !SINGLE_ROWBUF_ALLOC */
+            }
+         }
+#ifdef PNG_WRITE_APNG_SUPPORTED
+         png_write_frame_tail(write_ptr, write_info_ptr);
+#endif
+      }
+   }
+   else
+#endif
--- libpng-1.6.18.new/pngwrite.c	2015-11-14 07:31:41.231754120 -0300
+++ libpng-1.6.18.usual/pngwrite.c	2015-11-14 07:32:16.610930551 -0300
-   if ((info_ptr->valid & PNG_INFO_acTL) != 0)
-      png_write_acTL(png_ptr, info_ptr->num_frames, info_ptr->num_plays);
+      if (info_ptr->valid & PNG_INFO_acTL)
+         png_write_acTL(png_ptr, info_ptr->num_frames, info_ptr->num_plays);
-#ifdef PNG_WRITE_APNG_SUPPORTED
-   if (png_ptr->num_frames_written != png_ptr->num_frames_to_write)
-      png_error(png_ptr, "Not enough frames written");
-#endif
-
+#ifdef PNG_WRITE_APNG_SUPPORTED
+   if (png_ptr->num_frames_written != png_ptr->num_frames_to_write)
+      png_error(png_ptr, "Not enough frames written");
+#endif
+
+#ifdef PNG_WRITE_APNG_SUPPORTED
+void PNGAPI
+png_write_frame_head(png_structp png_ptr, png_infop info_ptr,
+    png_bytepp row_pointers, png_uint_32 width, png_uint_32 height,
+    png_uint_32 x_offset, png_uint_32 y_offset,
+    png_uint_16 delay_num, png_uint_16 delay_den, png_byte dispose_op,
+    png_byte blend_op)
+{
+    png_debug(1, "in png_write_frame_head");
+
+    /* there is a chance this has been set after png_write_info was called,
+    * so it would be set but not written. is there a way to be sure? */
+    if (!(info_ptr->valid & PNG_INFO_acTL))
+        png_error(png_ptr, "png_write_frame_head(): acTL not set");
+
+    png_write_reset(png_ptr);
+
+    png_write_reinit(png_ptr, info_ptr, width, height);
+
+    if ( !(png_ptr->num_frames_written == 0 &&
+           (png_ptr->apng_flags & PNG_FIRST_FRAME_HIDDEN) ) )
+        png_write_fcTL(png_ptr, width, height, x_offset, y_offset,
+                       delay_num, delay_den, dispose_op, blend_op);
+
+    PNG_UNUSED(row_pointers)
+}
+
+void PNGAPI
+png_write_frame_tail(png_structp png_ptr, png_infop info_ptr)
+{
+    png_debug(1, "in png_write_frame_tail");
+
+    png_ptr->num_frames_written++;
+
+    PNG_UNUSED(info_ptr)
+}
+#endif /* PNG_WRITE_APNG_SUPPORTED */
-
-#ifdef PNG_WRITE_APNG_SUPPORTED
-void PNGAPI
-png_write_frame_head(png_structp png_ptr, png_infop info_ptr,
-    png_bytepp row_pointers, png_uint_32 width, png_uint_32 height,
-    png_uint_32 x_offset, png_uint_32 y_offset,
-    png_uint_16 delay_num, png_uint_16 delay_den, png_byte dispose_op,
-    png_byte blend_op)
-{
-    png_debug(1, "in png_write_frame_head");
-
-    /* there is a chance this has been set after png_write_info was called,
-    * so it would be set but not written. is there a way to be sure? */
-    if ((info_ptr->valid & PNG_INFO_acTL) == 0)
-        png_error(png_ptr, "png_write_frame_head(): acTL not set");
-
-    png_write_reset(png_ptr);
-
-    png_write_reinit(png_ptr, info_ptr, width, height);
-
-    if ((png_ptr->apng_flags & PNG_FIRST_FRAME_HIDDEN) == 0 ||
-        png_ptr->num_frames_written != 0)
-        png_write_fcTL(png_ptr, width, height, x_offset, y_offset,
-                       delay_num, delay_den, dispose_op, blend_op);
-
-    PNG_UNUSED(row_pointers)
-}
-
-void PNGAPI
-png_write_frame_tail(png_structp png_ptr, png_infop info_ptr)
-{
-    png_debug(1, "in png_write_frame_tail");
-
-    png_ptr->num_frames_written++;
-
-    PNG_UNUSED(info_ptr)
-}
-#endif /* WRITE_APNG */
--- libpng-1.6.18.new/pngwutil.c	2015-11-14 07:31:41.233754073 -0300
+++ libpng-1.6.18.usual/pngwutil.c	2015-11-14 07:32:16.610930551 -0300
-#ifdef PNG_WRITE_APNG_SUPPORTED
-         if (png_ptr->num_frames_written == 0)
-#endif
+#        ifdef PNG_WRITE_APNG_SUPPORTED
+            if (png_ptr->num_frames_written == 0)
+#        endif
-#ifdef PNG_WRITE_APNG_SUPPORTED
-         else
-            png_write_fdAT(png_ptr, data, size);
-#endif /* WRITE_APNG */
-
+#        ifdef PNG_WRITE_APNG_SUPPORTED
+            else
+               png_write_fdAT(png_ptr, data, size);
+#        endif /* PNG_WRITE_APNG_SUPPORTED */
-#ifdef PNG_WRITE_APNG_SUPPORTED
-         if (png_ptr->num_frames_written == 0)
-#endif
+#        ifdef PNG_WRITE_APNG_SUPPORTED
+            if (png_ptr->num_frames_written == 0)
+#        endif
-#ifdef PNG_WRITE_APNG_SUPPORTED
-         else
-            png_write_fdAT(png_ptr, data, size);
-#endif /* WRITE_APNG */
+#        ifdef PNG_WRITE_APNG_SUPPORTED
+            else
+               png_write_fdAT(png_ptr, data, size);
+#        endif /* PNG_WRITE_APNG_SUPPORTED */
-    if ((png_ptr->apng_flags & PNG_FIRST_FRAME_HIDDEN) != 0)
+    if (png_ptr->apng_flags & PNG_FIRST_FRAME_HIDDEN)
-#endif /* WRITE_APNG */
+#endif /* PNG_WRITE_APNG_SUPPORTED */
-        png_error(png_ptr, "width and/or height for a frame greater than "
+        png_error(png_ptr, "width and/or height for a frame greater than"
-#endif /* WRITE_APNG */
+#endif /* PNG_WRITE_APNG_SUPPORTED */

comment:3 by Fernando de Oliveira, 8 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: newassigned

comment:4 by Fernando de Oliveira, 8 years ago

Description: modified (diff)

Patch released < 2 hours ago.

comment:5 by Fernando de Oliveira, 8 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r16661.

Note: See TracTickets for help on using tickets.